Nitrokey / pynitrokey

Python client for Nitrokey devices
Apache License 2.0

Secrets app giving other OTPs than password manager with the same secret #370

Closed orolhawion closed 1 year ago

orolhawion commented 1 year ago

I have issues with getting the secrets app to work on my Nitrokey 3C NFC, or at least it is not working as I would expect it to. I did the following:

$ nitropy nk3 version
Command line tool to interact with Nitrokey devices 0.4.36
v1.3.1

$ nitropy nk3 secrets register MyApp $(base32 MyApp)
Command line tool to interact with Nitrokey devices 0.4.36
Please touch the device if it blinks
Current Password (8 attempts left):

$ nitropy nk3 secrets list
Command line tool to interact with Nitrokey devices 0.4.36
Please touch the device if it blinks
Current Password (8 attempts left):
b'MyApp'

$ nitropy nk3 secrets get MyApp
Command line tool to interact with Nitrokey devices 0.4.36
Please touch the device if it blinks
Current Password (8 attempts left):
Timestamp: 2023-04-11T08:45:56 (1681195556), period: 30
204269

The file 'MyApp' contains the trimmed OTP secret.

The OTP 204269 is different from what my password manager shows and is invalid for login.

What am I doing wrong?

robin-nitrokey commented 1 year ago

The service might be using a different hash algorithm. You can use the --hash option for register to select a different algorithm (default: SHA1). If this does not help, we would need to know the service you use. If you don’t want to share it here, you can also send a mail to me directly or to support@nitrokey.com.

orolhawion commented 1 year ago

I tried Gitlab and GitHub, both are wrong. I also added the secret to my YubiKey 5 with the default options (sha1, 6 digits, totp); the codes from the YubiKey are different from the Nitrokey codes and valid for login. Can you reproduce this with a GitHub account?

The only difference between the Nitrokey and YubiKey procedure is that for Nitrokey I have to provide the secret base32 encoded, whereas the YubiKey just takes the secret string.

robin-nitrokey commented 1 year ago

I just tested it on GitHub and I did not have any issues.

The only difference between the Nitrokey and YubiKey procedure is that for Nitrokey I have to provide the secret base32 encoded, whereas the YubiKey just takes the secret string.

How do you determine the secret? The secret in the QR code generated by GitHub already is Base32-encoded. Maybe you just have to drop the encoding step?

orolhawion commented 1 year ago

My password manager saves the URL otpauth://... that includes a variable named secret with a value which I presume to be the secret. Skipping the base32 part fixed it for GitHub but not for Gitlab.

szszszsz commented 1 year ago

Hi! The OTP implementation used in the Nitrokey 3 firmware was tested against the test vectors provided in the specification for SHA1, so I expect this is some pynitrokey's UI/UX issue. Can you provide the rest of the URL (with the secret removed) for Gitlab? Perhaps other parameters have changed as well, like the mentioned algorithm or the number of digits.

I think it would be a good idea to have the whole URL interpreted by pynitrokey directly, instead of asking the user to divide it properly. Moving to the pynitrokey project.

robin-nitrokey commented 1 year ago

Gitlab works for me too. You just have to remove the spaces from the secret displayed in the UI (or use the secret from the OTP URL). Can you share the arguments you used to create the secret on the NK3?

robin-nitrokey commented 1 year ago

I think it would be a good idea to have the whole URL interpreted by pynitrokey directly, instead of asking the user to divide it properly.

https://github.com/Nitrokey/pynitrokey/issues/369

orolhawion commented 1 year ago

Gitlab works for me too. You just have to remove the spaces from the secret displayed in the UI (or use the secret from the OTP URL). Can you share the arguments you used to create the secret on the NK3?

When I just use the secret I get:

nitropy nk3 secrets register microsoft $(cat bb)
Command line tool to interact with Nitrokey devices 0.4.36
Critical error: An unhandled exception occurred
Exception encountered: Error('Non-base32 digit found')

That made me think that I should encode to base32 manually, which creates an OTP credential on the Nitrokey but gives a wrong OTP.

The following secrets do not work as expected:

otpauth://totp/some.gitlab.de:my@mail.de?secret=mysecret&issuer=some.gitlab.instance

otpauth://totp/some%20companyname%3Amy%40mail.de?secret=mysecret&issuer=Microsoft

robin-nitrokey commented 1 year ago

And how did you create the secret on your NK3? I. e. which arguments did you pass to nitropy?

orolhawion commented 1 year ago

As stated above, I put the trimmed secret into a file (bb) and called cat or base32 on the file:

$ nitropy nk3 secrets register microsoft $(cat bb)

For GitHub this works; for Microsoft and Gitlab it does not.

robin-nitrokey commented 1 year ago

nitropy nk3 secrets register microsoft $(cat bb)
Command line tool to interact with Nitrokey devices 0.4.36
Critical error: An unhandled exception occurred
Exception encountered: Error('Non-base32 digit found')

This is very suspicious. The secret in an OTP URI must be base32-encoded according to the spec. So if you extracted the contents of bb from the OTP URI, this error should not occur.

orolhawion commented 1 year ago

Perhaps every OTP URI that contains secrets which are not capitalized is suspicious; at least this applies to all secrets that are not working.

The secrets that are not working seem to be base64 encoded. When I try to decode with base32 I get invalid input. When I try to decode with base64 I don't.

orolhawion commented 1 year ago

I believe the problem is the following: some secrets in otpauth:// URIs are not uppercased, which causes an error when trying to create an OTP credential from it. When I provide my Microsoft secret uppercased, everything works as expected. Perhaps you could uppercase the secret, as this would meet the requirements for a base32 encoded string.

orolhawion commented 1 year ago

I also get this on some secrets that seem to be ok:

~|⇒ nitropy nk3 secrets register dropbox $(cat bb)
Command line tool to interact with Nitrokey devices 0.4.36
Critical error: An unhandled exception occurred
Exception encountered: Error('Incorrect padding')
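The three failure modes in this thread (a secret that was base32-encoded a second time, a lowercase secret rejected as "Non-base32 digit found", and an unpadded one rejected with "Incorrect padding") all come down to how the secret parameter of an otpauth:// URI is normalised before it is decoded. The following is an added example, not pynitrokey code: it parses an otpauth URI, normalises the secret the way the URI spec implies (strip spaces, uppercase, pad), computes the TOTP with the standard RFC 6238 algorithm, and shows that double-encoding the secret yields a different code. The secret and URI are the RFC 6238 SHA1 test vector and a constructed label.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def normalize_base32_secret(raw: str) -> str:
    """Strip whitespace, uppercase, and pad to a multiple of 8 characters.

    Python's base64.b32decode() raises 'Non-base32 digit found' for lowercase
    input and 'Incorrect padding' for unpadded input, which are exactly the
    errors quoted in this thread.
    """
    s = "".join(raw.split()).upper()
    return s + "=" * ((-len(s)) % 8)


def parse_otpauth(uri: str) -> dict:
    """Extract the fields of an otpauth://totp/... URI with spec defaults."""
    u = urlparse(uri)
    if u.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "type": u.netloc,                       # "totp" or "hotp"
        "label": unquote(u.path.lstrip("/")),   # e.g. "Issuer:account"
        "secret": normalize_base32_secret(q["secret"]),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HMAC over the big-endian time step, dynamic truncation."""
    key = base64.b32decode(normalize_base32_secret(secret_b32))
    counter = struct.pack(">Q", at // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def double_encoded(secret_b32: str) -> str:
    """What `base32 <file>` on an already-base32 secret produces (the OP's mistake)."""
    return base64.b32encode(secret_b32.encode()).decode()


# RFC 6238 SHA1 test vector: key "12345678901234567890", time 59 -> 94287082 (8 digits)
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed URI: lowercase secret with a space, as some services emit it
SAMPLE_URI = ("otpauth://totp/Example%3Aalice%40example.com"
              "?secret=gezdgnbvgy3tqojq%20gezdgnbvgy3tqojq&issuer=Example")
```

Registering `double_encoded(RFC_SECRET)` on a token makes the device key the ASCII bytes of the base32 text instead of the 20 decoded bytes, which is why the OP's codes disagreed with the password manager.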

robin-nitrokey commented 1 year ago

I’ve created two issues to improve the UI:

I think this should fix your problem, so I’m closing this ticket. Please reopen if you run into any other issues. And thanks for the feedback!